Migrate VMware vSphere VMs to Azure (agent-based)
This article shows you how to migrate on-premises VMware vSphere VMs to Azure, using the Migration and modernization tool, with agent-based migration. You can also migrate VMware vSphere VMs using agentless migration. Compare the methods.
In this tutorial, you learn how to:
- Prepare Azure to work with Azure Migrate.
- Prepare for agent-based migration. Set up a VMware vCenter Server account so that Azure Migrate can discover machines for migration. Set up an account so that the Mobility service agent can install on machines you want to migrate, and prepare a machine to act as the replication appliance.
- Add the Migration and modernization tool.
- Set up the replication appliance.
- Replicate VMs.
- Run a test migration to make sure everything's working as expected.
- Run a full migration to Azure.
Note
Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof-of-concept. Tutorials use default options where possible, and don't show all possible settings and paths.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
Before you begin this tutorial, review the VMware vSphere agent-based migration architecture.
Prepare Azure
Complete the tasks in the table to prepare Azure for agent-based migration.
Task | Details |
---|---|
Create an Azure Migrate project | Your Azure account needs Contributor or Owner permissions to create a project. |
Verify Azure account permissions | Your Azure account needs permissions to create a VM, and write to an Azure managed disk. |
Set up an Azure network | Set up a network that Azure VMs will join after migration. |
Assign permissions to create project
If you don't have an Azure Migrate project, verify permissions to create one.
In the Azure portal, open the subscription, and select Access control (IAM).
In Check access, find the relevant account, and select it to view permissions.
Verify that you have Contributor or Owner permissions.
- If you just created a free Azure account, you're the owner of your subscription.
- If you're not the subscription owner, work with the owner to assign the role.
Assign Azure account permissions
Assign the Virtual Machine Contributor role to the account, so that you have permissions to:
- Create a VM in the selected resource group.
- Create a VM in the selected virtual network.
- Write to an Azure managed disk.
Assign permissions to register the Replication Appliance in Microsoft Entra ID
If you are following the least privilege principle, assign the Application Developer Microsoft Entra role to the user registering the Replication Appliance. Follow the Assign administrator and non-administrator roles to users with Microsoft Entra ID guide to do so.
Set up an Azure network
Set up an Azure network. On-premises machines are replicated to Azure managed disks. When you fail over to Azure for migration, Azure VMs are created from these managed disks, and joined to the Azure network you set up.
Prepare for migration
Verify support requirements and permissions, and prepare to deploy a replication appliance.
Prepare an account to discover VMs
The Migration and modernization tool needs access to VMware vSphere to discover VMs you want to migrate. Create the account as follows:
- To use a dedicated account, create a role at the vCenter Server level. Give the role a name such as Azure_Migrate.
- Assign the role the permissions summarized in the table below.
- Create a user on the vCenter Server or vSphere host. Assign the role to the user.
VMware vSphere account permissions
Task | Role/Permissions | Details |
---|---|---|
VM discovery | At least a read-only user. Data Center object –> Propagate to Child Object, role=Read-only | User assigned at datacenter level, and has access to all the objects in the datacenter. To restrict access, assign the No access role with the Propagate to child object, to the child objects (vSphere hosts, datastores, VMs, and networks). |
Replication | Create a role (Azure Site Recovery) with the required permissions, and then assign the role to a VMware vSphere user or group. Data Center object –> Propagate to Child Object, role=Azure Site Recovery; Datastore -> Allocate space, browse datastore, low-level file operations, remove file, update virtual machine files; Network -> Network assign; Resource -> Assign VM to resource pool, migrate powered off VM, migrate powered on VM; Tasks -> Create task, update task; Virtual machine -> Configuration; Virtual machine -> Interact -> answer question, device connection, configure CD media, configure floppy media, power off, power on, VMware tools install; Virtual machine -> Inventory -> Create, register, unregister; Virtual machine -> Provisioning -> Allow virtual machine download, allow virtual machine files upload; Virtual machine -> Snapshots -> Remove snapshots | User assigned at datacenter level, and has access to all the objects in the datacenter. To restrict access, assign the No access role with the Propagate to child object, to the child objects (vSphere hosts, datastores, VMs, and networks). |
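The discovery row of the table, scripted with VMware PowerCLI as an added example (not part of the original article): it grants the built-in read-only role at the datacenter with propagation, then assigns the built-in No access role to child objects that are out of scope for migration. The function name and every server, datacenter, principal and object name are placeholders chosen for illustration.

```powershell
#Requires -Modules VMware.VimAutomation.Core
# Added example. Run after connecting, for instance:
#   Connect-VIServer -Server vcenter.example.internal   # placeholder host name

function Set-DiscoveryScope {
    param(
        [Parameter(Mandatory)] [string] $Datacenter,       # datacenter to discover
        [Parameter(Mandatory)] [string] $Principal,        # e.g. 'EXAMPLE\svc-azmigrate' (placeholder)
        [string[]] $ExcludedVM        = @(),               # VMs the account must not see
        [string[]] $ExcludedDatastore = @()                # datastores the account must not see
    )

    $dc       = Get-Datacenter -Name $Datacenter -ErrorAction Stop
    $readOnly = Get-VIRole -Name 'ReadOnly'                # built-in "Read-only" role
    $noAccess = Get-VIRole -Name 'NoAccess'                # built-in "No access" role

    # Read-only at the datacenter, propagated to child objects (table: VM discovery).
    $existing = Get-VIPermission -Entity $dc -Principal $Principal -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $dc -Principal $Principal -Role $readOnly -Propagate $true | Out-Null
    }

    # Resolve the objects to hide. -ErrorAction Stop makes a misspelled name fail loudly
    # instead of silently leaving the object visible to the account.
    $excluded = @()
    if ($ExcludedVM)        { $excluded += Get-VM        -Name $ExcludedVM        -Location $dc -ErrorAction Stop }
    if ($ExcludedDatastore) { $excluded += Get-Datastore -Name $ExcludedDatastore -Location $dc -ErrorAction Stop }

    # No access on each excluded child object overrides the inherited read-only permission.
    foreach ($obj in $excluded) {
        $already = Get-VIPermission -Entity $obj -Principal $Principal -ErrorAction SilentlyContinue |
                   Where-Object { $_.Role -eq $noAccess.Name }
        if (-not $already) {
            New-VIPermission -Entity $obj -Principal $Principal -Role $noAccess -Propagate $true | Out-Null
        }
    }

    # Return the resulting permission set so it can be reviewed or stored with the change record.
    Get-VIPermission -Principal $Principal | Select-Object Entity, Role, Propagate
}

# Example call (all names are placeholders):
# Set-DiscoveryScope -Datacenter 'DC01' -Principal 'EXAMPLE\svc-azmigrate' `
#     -ExcludedVM 'hr-db01','pki-ca01' -ExcludedDatastore 'ds-secure01'
```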
Prepare an account for Mobility service installation
The Mobility service must be installed on machines you want to replicate.
- The Azure Migrate replication appliance can do a push installation of this service when you enable replication for a machine, or you can install it manually, or using installation tools.
- In this tutorial, we're going to install the Mobility service with the push installation.
- For push installation, you need to prepare an account that the Migration and modernization tool can use to access the VM. This account is used only for the push installation, if you don't install the Mobility service manually.
Prepare the account as follows:
- Prepare a domain or local account with permissions to install on the VM.
- For Windows VMs, if you're not using a domain account, disable Remote User Access control on the local machine by adding the DWORD entry LocalAccountTokenFilterPolicy, with a value of 1 in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- For Linux VMs, prepare a root account on the source Linux server.
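The registry change for a Windows VM that uses a local account, as an added example (not part of the original article): it records the prior state, sets the DWORD to 1 for the push installation, and restores the prior state afterwards, since the account is used only for the push installation. The function names and the state-file path are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the source Windows VM in an elevated PowerShell session.
# With LocalAccountTokenFilterPolicy = 1, remote logons by local administrator accounts
# receive a full (unfiltered) token, so the value is kept only for the installation window.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'LocalAccountTokenFilterPolicy'
$StateFile  = Join-Path $env:ProgramData 'latfp-prior-state.json'   # hypothetical location

function Get-TokenFilterPolicy {
    # Returns the current DWORD value, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-PushInstallAccess {
    # Save the prior state first so the change can be undone exactly.
    $prior = Get-TokenFilterPolicy
    [pscustomobject]@{
        Present    = ($null -ne $prior)
        Value      = $prior
        ChangedUtc = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8

    # Add the DWORD entry with a value of 1, as the step above describes.
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-TokenFilterPolicy
}

function Restore-TokenFilterPolicy {
    # Put the value back to what it was before Enable-PushInstallAccess ran.
    if (-not (Test-Path -Path $StateFile)) {
        throw "No saved state at $StateFile; nothing to restore."
    }
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    if ($saved.Present) {
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
            -Value ([int]$saved.Value) -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $StateFile
    return Get-TokenFilterPolicy
}

# Typical sequence:
#   Enable-PushInstallAccess      # before enabling replication for this VM
#   ... Mobility service push installation completes ...
#   Restore-TokenFilterPolicy     # afterwards
```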
Prepare a machine for the replication appliance
The appliance is used to replicate machines to Azure. The appliance is a single, highly available, on-premises VMware vSphere VM that hosts these components:
- Configuration server: The configuration server coordinates communications between on-premises and Azure, and manages data replication.
- Process server: The process server acts as a replication gateway. It receives replication data; optimizes it with caching, compression, and encryption, and sends it to a cache storage account in Azure. The process server also installs the Mobility Service agent on VMs you want to replicate, and performs automatic discovery of on-premises VMware VMs.
Prepare for the appliance as follows:
- Review appliance requirements. Generally, you set up the replication appliance as a VMware vSphere VM using a downloaded OVA file. The template creates an appliance that complies with all requirements.
- MySQL must be installed on the appliance. Review installation methods.
- Review the public cloud URLs, and Azure Government URLs that the appliance machine needs to access.
- Review the ports that the replication appliance machine needs to access.
Check VMware vSphere requirements
Make sure VMware vSphere VMs comply with requirements for migration to Azure.
- Verify VMware vSphere VM requirements.
- Verify VM requirements for migration.
- Verify Azure settings. On-premises VMs you replicate to Azure must comply with Azure VM requirements.
- There are some changes needed on VMs before you migrate them to Azure.
Note
Agent-based migration with the Migration and modernization tool is based on features of the Azure Site Recovery service. Some requirements might link to Site Recovery documentation.
Set up the replication appliance
This procedure describes how to set up the appliance with a downloaded Open Virtualization Application (OVA) template. If you can't use this method, you can set up the appliance using a script.
Download the replication appliance template
Download the template as follows:
In the Azure Migrate project, select Servers, databases and web apps under Migration goals.
In Servers, databases and web apps > Migration and modernization, click Discover.
In Discover machines > Are your machines virtualized?, click Yes, with VMware vSphere hypervisor.
In How do you want to migrate?, select Using agent-based replication.
In Target region, select the Azure region to which you want to migrate the machines.
Select Confirm that the target region for migration is region-name.
Click Create resources. This creates an Azure Site Recovery vault in the background. You can't change the target region for this project after clicking this button, and all subsequent migrations are to this region.
Note
If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault will also be configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance: Learn more
In Do you want to install a new replication appliance?, select Install a replication appliance.
Click Download. This downloads an OVF template.
Note the name of the resource group and the Recovery Services vault. You need these during appliance deployment.
Import the template into VMware vSphere
After downloading the OVF template, you import it into VMware vSphere to create the replication appliance on a VMware vSphere VM running Windows Server 2016.
Sign in to the VMware vCenter Server or vSphere ESXi host with the VMware vSphere Client.
On the File menu, select Deploy OVF Template to start the Deploy OVF Template Wizard.
In Select source, enter the location of the downloaded OVF.
In Review details, select Next.
In Select name and folder and Select configuration, accept the default settings.
In Select storage > Select virtual disk format, for best performance select Thick Provision Eager Zeroed.
On the rest of the wizard pages, accept the default settings.
In Ready to complete, to set up the VM with the default settings, select Power on after deployment > Finish.
Tip
If you want to add an additional NIC, clear Power on after deployment > Finish. By default, the template contains a single NIC. You can add additional NICs after deployment.
Start appliance setup
- In the VMware vSphere Client console, turn on the VM. The VM boots up into a Windows Server 2016 installation experience.
- Accept the license agreement, and enter an administrator password.
- After the installation finishes, sign in to the VM as the administrator, using the admin password. The first time you sign in, the replication appliance setup tool (Azure Site Recovery Configuration Tool) starts within a few seconds.
- Enter a name to use for registering the appliance with the Migration and modernization tool. Select Next.
- The tool checks that the VM can connect to Azure. After the connection is established, select Sign in to sign in to your Azure subscription.
- Wait for the tool to finish registering a Microsoft Entra app to identify the appliance. The appliance reboots.
- Sign in to the machine again. In a few seconds, the Configuration Server Management Wizard starts automatically.
Register the replication appliance
Finish setting up and registering the replication appliance.
In appliance setup, select Setup connectivity.
Select the NIC (by default there's only one NIC) that the replication appliance uses for VM discovery, and to do a push installation of the Mobility service on source machines.
Select the NIC that the replication appliance uses for connectivity with Azure. Then select Save. You cannot change this setting after it's configured.
Tip
If for some reason you need to change the NIC selection and you have not clicked the Finalize configuration button in step 12, you can do so by clearing your browser cookies and restarting the Configuration Server Management Wizard.
If the appliance is located behind a proxy server, you need to specify proxy settings.
- Specify the proxy name as http://ip-address, or http://FQDN. HTTPS proxy servers aren't supported.
When prompted for the subscription, resource groups, and vault details, add the details that you noted when you downloaded the appliance template.
In Install third-party software, accept the license agreement. Select Download and Install to install MySQL Server.
Select Install VMware PowerCLI. Make sure all browser windows are closed before you do this. Then select Continue.
Note
In newer versions of the Replication Appliance the VMware PowerCLI installation is not required.
In Validate appliance configuration, prerequisites are verified before you continue.
In Configure vCenter Server/vSphere ESXi server, enter the FQDN or IP address of the vCenter server, or vSphere host, where the VMs you want to replicate are located. Enter the port on which the server is listening. Enter a friendly name to be used for the VMware server in the vault.
Enter the credentials for the account you created for VMware discovery. Select Add > Continue.
In Configure virtual machine credentials, enter the credentials you created for push installation of the Mobility service, when you enable replication for VMs.
- For Windows machines, the account needs local administrator privileges on the machines you want to replicate.
- For Linux, provide details for the root account.
Select Finalize configuration to complete registration.
After the replication appliance is registered, Azure Migrate Server Assessment connects to VMware servers using the specified settings, and discovers VMs. You can view discovered VMs in Manage > Discovered items, in the Other tab.
Replicate VMs
Select VMs for migration.
Note
In the portal you can select up to 10 machines at once for replication. If you need to replicate more, then group them in batches of 10.
In the Azure Migrate project > Servers, databases and web apps > Migration and modernization, click Replicate.
In Replicate > Source settings > Are your machines virtualized?, select Yes, with VMware vSphere.
In On-premises appliance, select the name of the Azure Migrate appliance that you set up.
In vCenter server, specify the name of the vCenter server managing the VMs, or the vSphere server on which the VMs are hosted.
In Process Server, select the name of the replication appliance.
In Guest credentials, specify the VM admin account that will be used for push installation of the Mobility service. Then click Next: Virtual machines.
In Virtual Machines, select the machines that you want to replicate.
- If you've run an assessment for the VMs, you can apply VM sizing and disk type (premium/standard) recommendations from the assessment results. To do this, in Import migration settings from an Azure Migrate assessment?, select the Yes option.
- If you didn't run an assessment, or you don't want to use the assessment settings, select the No option.
- If you selected to use the assessment, select the VM group, and assessment name.
In Availability options, select:
- Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Availability Zones. If you select this option, you'll need to specify the Availability Zone to use for each of the selected machines in the Compute tab. This option is only available if the target region selected for the migration supports Availability Zones.
- Availability Set to place the migrated machine in an Availability Set. The target Resource Group that was selected must have one or more availability sets in order to use this option.
- No infrastructure redundancy required option if you don't need either of these availability configurations for the migrated machines.
Check each VM you want to migrate. Then click Next: Target settings.
In Target settings, select the subscription, and target region to which you'll migrate, and specify the resource group in which the Azure VMs will reside after migration.
In Virtual Network, select the Azure VNet/subnet to which the Azure VMs will be joined after migration.
In Cache storage account, keep the default option to use the cache storage account that is automatically created for the project. Use the dropdown if you'd like to specify a different storage account to use as the cache storage account for replication.
Note
- If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. Learn more
- To replicate using ExpressRoute with private peering, create a private endpoint for the cache storage account. Learn more
In Availability options, select:
- Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Availability Zones. If you select this option, you'll need to specify the Availability Zone to use for each of the selected machines in the Compute tab. This option is only available if the target region selected for the migration supports Availability Zones.
- Availability Set to place the migrated machine in an Availability Set. The target Resource Group that was selected must have one or more availability sets in order to use this option.
- No infrastructure redundancy required option if you don't need either of these availability configurations for the migrated machines.
In Disk encryption type, select:
- Encryption-at-rest with platform-managed key
- Encryption-at-rest with customer-managed key
- Double encryption with platform-managed and customer-managed keys
Note
To replicate VMs with CMK, you'll need to create a disk encryption set under the target Resource Group. A disk encryption set object maps Managed Disks to a Key Vault that contains the CMK to use for SSE.
In Azure Hybrid Benefit:
- Select No if you don't want to apply Azure Hybrid Benefit. Then click Next.
- Select Yes if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then click Next.
In Compute, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with Azure requirements.
- VM size: If you're using assessment recommendations, the VM size dropdown shows the recommended size. Otherwise Azure Migrate picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in Azure VM size.
- OS disk: Specify the OS (boot) disk for the VM. The OS disk is the disk that has the operating system bootloader and installer.
- Availability Zone: Specify the Availability Zone to use.
- Availability Set: Specify the Availability Set to use.
In Disks, specify whether the VM disks should be replicated to Azure, and select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then click Next.
- You can exclude disks from replication.
- If you exclude disks, they won't be present on the Azure VM after migration.
- You can exclude disks if the mobility agent is already installed on that server. Learn more.
In Tags, choose to add tags to your Virtual machines, Disks, and NICs.
In Review and start replication, review the settings, and click Replicate to start the initial replication for the servers.
Note
You can update replication settings any time before replication starts, in Manage > Replicating machines. Settings can't be changed after replication starts.
Track and monitor
Track job status in the portal notifications.
To monitor replication status, click Replicating servers in Migration and modernization.
Replication occurs as follows:
- When the Start Replication job finishes successfully, the machines begin their initial replication to Azure.
- After initial replication finishes, delta replication begins. Incremental changes to on-premises disks are periodically replicated to the replica disks in Azure.
Run a test migration
When delta replication begins, you can run a test migration for the VMs, before running a full migration to Azure. We highly recommend that you do this at least once for each machine, before you migrate it.
- Running a test migration checks that migration will work as expected, without impacting the on-premises machines, which remain operational, and continue replicating.
- Test migration simulates the migration by creating an Azure VM using replicated data (usually migrating to a non-production VNet in your Azure subscription).
- You can use the replicated test Azure VM to validate the migration, perform app testing, and address any issues before full migration.
Do a test migration as follows:
In Migration goals > Servers, databases and web apps > Migration and modernization, select Test migrated servers.
Right-click the VM to test, and click Test migrate.
In Test Migration, select the Azure VNet in which the Azure VM will be located after the migration. We recommend you use a non-production VNet.
The Test migration job starts. Monitor the job in the portal notifications.
After the migration finishes, view the migrated Azure VM in Virtual Machines in the Azure portal. The machine name has a suffix -Test.
After the test is done, right-click the Azure VM in Replicating machines, and click Clean up test migration.
Note
You can now register your servers running SQL server with SQL VM RP to take advantage of automated patching, automated backup and simplified license management using SQL IaaS Agent Extension.
- Select Manage > Replicating servers > Machine containing SQL server > Compute and Network and select yes to register with SQL VM RP.
- Select Azure Hybrid benefit for SQL Server if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating.
Migrate VMs
After you've verified that the test migration works as expected, you can migrate the on-premises machines.
- In the Azure Migrate project > Servers, databases and web apps > Migration and modernization, select Replicating servers.
- In Replicating machines, right-click the VM > Migrate.
- In Migrate > Shut down virtual machines and perform a planned migration with no data loss, select Yes > OK.
- By default Azure Migrate shuts down the on-premises VM to ensure minimum data loss.
- If you don't want to shut down the VM, select No.
- A migration job starts for the VM. Track the job in Azure notifications.
- After the job finishes, you can view and manage the VM from the Virtual Machines page.
Complete the migration
- After the migration is done, right-click the VM > Stop replication. This does the following:
- Stops replication for the on-premises machine.
- Removes the machine from the Replicating servers count in the Migration and modernization tool.
- Cleans up replication state information for the VM.
- Verify and troubleshoot any Windows activation issues on the Azure VM.
- Perform any post-migration app tweaks, such as host names, updating database connection strings, and web server configurations.
- Perform final application and migration acceptance testing on the migrated application now running in Azure.
- Cut over traffic to the migrated Azure VM instance.
- Remove the on-premises VMs from your local VM inventory.
- Remove the on-premises VMs from local backups.
- Update any internal documentation to show the new location and IP address of the Azure VMs.
Post-migration best practices
- On-premises
- Move app traffic over to the app running on the migrated Azure VM instance.
- Remove the on-premises VMs from your local VM inventory.
- Remove the on-premises VMs from local backups.
- Update any internal documentation to show the new location and IP address of the Azure VMs.
- Tweak Azure VM settings after migration:
- The Azure VM agent manages VM interaction with the Azure Fabric Controller. It's required for some Azure services, such as Azure Backup, Site Recovery, and Azure Security. When migrating VMware VMs with agent-based migration, the Mobility Service installer installs Azure VM agent on Windows machines. On Linux VMs, we recommend that you install the agent after migration.
- Manually uninstall the Mobility service from the Azure VM after migration. We recommend that you reboot the server when prompted.
- Manually uninstall VMware tools after migration.
- In Azure:
- Perform any post-migration app tweaks, such as updating database connection strings, and web server configurations.
- Perform final application and migration acceptance testing on the migrated application now running in Azure.
- Business continuity/disaster recovery
- Keep data secure by backing up Azure VMs using the Azure Backup service. Learn more.
- Keep workloads running and continuously available by replicating Azure VMs to a secondary region with Site Recovery. Learn more.
- For increased security:
- Lock down and limit inbound traffic access with Microsoft Defender for Cloud - Just in time administration.
- Manage and govern updates on Windows and Linux machines with Azure Update Manager.
- Restrict network traffic to management endpoints with Network Security Groups.
- Deploy Azure Disk Encryption to help secure disks, and keep data safe from theft and unauthorized access.
- Read more about securing IaaS resources, and visit the Microsoft Defender for Cloud.
- For monitoring and management:
- Consider deploying Microsoft Cost Management to monitor resource usage and spending.
Next steps
Investigate the cloud migration journey in the Azure Cloud Adoption Framework.